openssh 7.2 and certificate file - openssh

I've been using signed ssh keys on Ubuntu 14, which uses openssh 6.6 like this:
ssh -i path/private_key root@server
This tries to find the file path/private_key-cert.pub and, if it finds it and it is a certificate file, it is used to complete the ssh connection and I can ssh to the server. Works perfectly!
However this does not work on a server with openssh 7.2. The message I get is
sign_and_send_pubkey: no private key for certificate "/private_key-cert"
Seems that there are changes between openssh versions 6.x and 7.2. How can I make this work using openssh 7.2?
Thanks
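The following is an added example, not code from the question or from OpenSSH itself. It builds a throwaway user CA with ssh-keygen, signs a user key so that the certificate lands beside it as private_key-cert.pub (the naming ssh relies on when given only -i private_key), and then performs the two checks that matter when ssh reports "no private key for certificate": that the certificate file exists where ssh looks for it, and that the certificate's public key is the public half of the private key being offered. The key names, the Key ID, the principals and the validity window are placeholders chosen for the example. Everything runs in a scratch directory and touches nothing under ~/.ssh.

```shell
#!/bin/sh
# Added example (not from the original post): throwaway SSH user CA, a signed
# user key, and the checks ssh needs to pass before it uses the certificate.
set -eu

WORK="${WORK:-$(mktemp -d)}"   # scratch dir; nothing here touches ~/.ssh

make_ca_and_signed_key() {
    # Re-runnable: remove leftovers so ssh-keygen never prompts to overwrite.
    rm -f "$WORK/user_ca" "$WORK/user_ca.pub" \
          "$WORK/private_key" "$WORK/private_key.pub" "$WORK/private_key-cert.pub"

    # CA key pair. In practice this lives on the CA host; only user_ca.pub is
    # distributed to servers (TrustedUserCAKeys in sshd_config).
    ssh-keygen -q -t ed25519 -N '' -C 'example-user-ca' -f "$WORK/user_ca"

    # The user's key pair, the "private_key" of the question.
    ssh-keygen -q -t ed25519 -N '' -C 'alice' -f "$WORK/private_key"

    # Sign the user's PUBLIC key. ssh-keygen writes the certificate beside it as
    # private_key-cert.pub; that naming is what lets "ssh -i private_key" find
    # the certificate without being told about it. -n lists the principals
    # (login names) the certificate is valid for, -V its validity window.
    ssh-keygen -q -s "$WORK/user_ca" -I 'alice-key-1' -n 'root,alice' \
        -V '-5m:+52w' "$WORK/private_key.pub"

    test -f "$WORK/private_key-cert.pub"
}

cert_key_id() {
    # The Key ID embedded in the certificate, as printed by ssh-keygen -L.
    ssh-keygen -L -f "$WORK/private_key-cert.pub" |
        sed -n 's/^[[:space:]]*Key ID: "\(.*\)"$/\1/p'
}

cert_matches_key() {
    # "no private key for certificate" means ssh holds a certificate but no
    # private key whose public half matches it. Compare the fingerprint of the
    # key pair with the "Public key:" fingerprint ssh-keygen -L shows for the
    # certificate; they must be identical.
    key_fp=$(ssh-keygen -l -f "$WORK/private_key.pub" | awk '{print $2}')
    cert_fp=$(ssh-keygen -L -f "$WORK/private_key-cert.pub" |
        sed -n 's/^[[:space:]]*Public key: [A-Z0-9-]* \(SHA256:[^[:space:]]*\).*/\1/p')
    [ -n "$key_fp" ] && [ "$key_fp" = "$cert_fp" ]
}

if command -v ssh-keygen >/dev/null 2>&1; then
    make_ca_and_signed_key
    echo "certificate key ID: $(cert_key_id)"
    if cert_matches_key; then
        echo "certificate public key matches $WORK/private_key"
    fi
    # OpenSSH 7.2 added CertificateFile, so the certificate can also be named
    # explicitly instead of relying on the -cert.pub lookup (the same directive
    # works in ~/.ssh/config). A connection would then be made with:
    echo "ssh -i $WORK/private_key -o CertificateFile=$WORK/private_key-cert.pub root@server"
else
    echo "ssh-keygen not found; nothing to do" >&2
fi
```

If cert_matches_key fails for a real key pair, ssh will refuse the certificate no matter where the file sits: the fix is to sign the public key that belongs to the private key you pass with -i, not to rename files. ssh-keygen -L also shows the principals and validity window, which is the next thing to check when the server rejects an otherwise well-formed certificate.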

Related

Windows 10 - OpenSSH Forward Agent Loading Keys but not Forwarding, SSH-Agent seems to be ignoring loaded keys

Problem:
I am trying to use OpenSSH Agent in Windows 10 Pro. It is loading the keys but not forwarding to the host.
Goal:
I am attempting to get ssh-agent to work in Windows so I don't have to keep entering my passphrase for my private key (with the ultimate goal of getting this to work with VS Code Remote-SSH Extension as well as on the command line).
What I've Tried:
I am using Windows 10 Pro 21H2 build 19044.1865. I have OpenSSH installed. In Powershell (admin mode), I use ssh-add to add my private key and confirm by doing ssh-add -L which shows the key is loaded (X'd out in example):
ssh-add -L
ssh-ed25519 XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX (redacted)
I then attempt ssh -A username@serverip and it prompts me for my passphrase. The expected behavior is that it would not prompt me for my passphrase, it would simply obtain the key from the ssh-agent service. I have tried both rsa and ed25519 keys formatted as OpenSSH keys with the same result.
If I enter my passphrase I immediately connect. I have tried all the suggestions I could find online including:
killing all ssh-agent processes shown in task manager and restarting
starting and restarting the OpenSSH Authentication Agent
fixing the permissions on my keys so only I as owner have access
It appears that the ssh-agent has loaded the key but is simply not passing it on to my server for some reason. Using the -v (verbose) option shows no attempt to use ssh-agent forwarding. I have used putty/pageant successfully and have even tried wsl-ssh-pageant which seems to work, loading my key from pageant (the Pageant keys viewable as loaded after doing ssh-add -L) but they are ignored when I attempt a connection (again nothing in the verbose output shows attempt to use the ssh-agent). The OpenSSH agent is clearly running in Windows services.
Any suggestions or help? Thank you.

Using VS Code with native Windows OpenSSH client

I'm trying to move from PuTTY/Pageant/plink to the Windows OpenSSH native client.
I already managed to do this in TortoiseGit, but the main problem with VSCode seems to be that I can't set which ssh agent to use.
I enabled the OpenSSH agent service on Windows to start automatically and added my open ssh key with ssh-add.
Every time I try to push from VSCode, all I get is an error message with
Git: FATAL ERROR: Disconnected: No supported authentication methods available (server sent: public key)
When trying to push from the terminal I also get
Please make sure you have the correct access rights and the repository exists.
As already said, with TortoiseGit I have no problem at all, and the only difference is that in TortoiseGit I set the ssh agent.
You might need to confirm that your system environment variable GIT_SSH points to the ssh within Git: C:\Program Files\Git\usr\bin\ssh.exe
You may need to update your Windows OpenSSH. If you run ssh -V from a PowerShell window and see OpenSSH_for_Windows_7.7p1, this is probably the case. The instructions for upgrading are available in the Install Win32 OpenSSH Wiki.
General
VS Code uses the Windows version of OpenSSH.
The config file that you change in VS Code is located in /Users/<username>/.ssh/config
The default location/name of a key is at /Users/<username>/.ssh/id_rsa.
Example
Local: Windows 10 machine with VS Code and the very awesome Remote - SSH extension installed
Remote: Ubuntu, where I use git for development and need my private key available
Since the remote is shared, I want to use SSH agent forwarding and keep my private key(s) on my local machine
Config file:
Host mybox
HostName actual.ip.or.name.of.mybox.com
User myusername
IdentityFile ~/.ssh/id_rsa
ForwardAgent yes
PowerShell Commands (Run as Administrator)
Start-Service ssh-agent
ssh-add C:\Users\<username>\.ssh\id_rsa # private key to add
ssh-add -L # list keys added
Set-Service ssh-agent -StartupType Automatic # optional

GitLab does not work with key loaded in Pageant?

I keep most of my personal projects on BitBucket by Atlassian. As a natural choice, I use the SourceTree app (their product) as my git GUI client on Windows, and I'm happy with it. For projects where ssh git is available, I prefer ssh over https. SourceTree plays very well with projects hosted on BitBucket. Although it offers both SSH agents, OpenSSH and PuTTY, its default selection is PuTTY/Plink (perhaps because PuTTY is more Windows-familiar).
Recently my establishment requested to host some projects on its own server. At first look it's a git server using GitLab open source. I can use SourceTree with a project hosted here using https just fine, however when it comes to ssh, the only choice of SSH agent is OpenSSH. The only key pair it would use (unless specified in config) is ~/.ssh/id_rsa.pub and ~/.ssh/id_rsa (located in %USERPROFILE%\.ssh\).
I've tried to:
Load ~/.ssh/id_rsa into PuTTY Key Generator
Convert it to PuTTY format (.ppk) file
Load the .ppk into Pageant (PuTTY authentication agent).
Despite the key being loaded and kept in memory by Pageant, the connection with the server failed all the time, e.g. git: fatal: Could not read from remote repository. The only way to make it work is to start ssh-agent and ssh-add (go with OpenSSH).
Since I have Pageant running usually in the background, I find it more convenient to use (e.g. the keyphrase to open the private key is long/complex, and I don't remember it, and it can be copy-pasted from KeePass, while in the case of OpenSSH, cmd console does not allow me to paste it, too bad).
Is there any way to have the ssh authentication to GitLab done via PuTTY instead of OpenSSH?
Did you connect to the SSH server using PuTTY before using plink? If not, a reason could be that plink is refusing to connect to the server because the ssh host key isn't verified yet. Another reason could be that the SSH server requires ciphers which are not supported by PuTTY. You can only find out if you connect with PuTTY with the same version as plink.
Use TortoiseGitPlink (from TortoiseGit) to circumvent this issue, as it will popup a messagebox asking whether to accept the hostkey or not.

OpenSSH for Windows connection with private key and passphrase

I want to switch from PuTTY to OpenSSH for SSH connections in Windows to our servers. I want to use OpenSSH only as a client and I have a private key with an additional passphrase.
I tried to connect to my server and OpenSSH loads the key file, but every time I enter the passphrase, it seems that it isn't correct.
C:\Users\user>ssh -i D:\folder\.ssh\private_key user@host
Enter passphrase for key 'D:\folder\.ssh\private_key':
Enter passphrase for key 'D:\folder\.ssh\private_key':
Enter passphrase for key 'D:\folder\.ssh\private_key':
user@host's password:
As you can see, my key files are not located in the standard folder. I don't think that this is the problem, so only fyi.
What is the problem? I installed OpenSSH with the standard configuration and changed nothing.
Edit:
I also tried a different key file on another server which also has a passphrase: this also doesn't work. Is that maybe a problem in the configuration?
I'm sorry.
I discovered that I loaded a very old version. I think I got it from SourceForge and the executables are very outdated (year 2003 to 2004).
You can get a current version from GitHub: https://github.com/PowerShell/Win32-OpenSSH/releases/. I don't know if this is the official release. It's a bit confusing.

How To Extract SFTP SSH Key From Key Cache in FileZilla FTP Client

I have connected to a server via SFTP using FileZilla and accepted adding the server's SSH key to the key cache in FileZilla.
How can I extract this cached key to a key file so that I may use it through other SFTP applications that require a key file to be made available?
I have not been able to find anything in the FileZilla documentation related to this.
If you use the standard openssh console client (cygwin or from linux), host keys are stored, one-per-line, in ~/.ssh/known_hosts. From there, it's a simple matter of figuring out which bit of that host key is needed for your library.
Putty also stores host keys, but it appears to encode them in hex. Those can be found at HKCUR\Software\SimonTatham\PuTTY\SshHostKeys
Thomas was correct. FileZilla piggybacks on PuTTY's PSFTP program and stores the saved keys encoded in a hex format at the registry key he listed (HKCUR\Software\SimonTatham\PuTTY\SshHostKeys). I needed the key in known_hosts format, so I was able to install a Windows version of OpenSSH at his recommendation and used the ssh-keyscan tool to hit the server and save the key info out in the correct format (the second command appends, so the first line is not overwritten):
ssh-keyscan -t rsa <my_ftp_ip_address> > c:\known_hosts
ssh-keyscan -t dsa <my_ftp_ip_address> >> c:\known_hosts
Thank you Thomas and SO!
If you'd rather use a GUI, you can snag the host key from the log window or the first-time connection popup using WinSCP FTP client: https://winscp.net/eng/docs/ssh_verifying_the_host_key
Thanks Dougman for the tip!
To further help any newcomers reading your answer.
Prior to running the ssh-keyscan, assuming OpenSSH is installed by default, there are a few commands that need to be run (read the quickstart/readme install for details).
Here are my commands which allow me to obtain the host key.
C:\Program Files\OpenSSH\bin>mkgroup -l >> ..\etc\group
C:\Program Files\OpenSSH\bin>mkpasswd -l >> ..\etc\passwd
C:\Program Files\OpenSSH\bin>net start opensshd
The OpenSSH Server service is starting.
The OpenSSH Server service was started successfully.
C:\Program Files\OpenSSH\bin>ssh-keyscan -t rsa vivo.sg.m.com > c:\known_hosts
vivo.sg.m.com SSH-2.0-Sun_SSH_1.1
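The following is an added example, not code from any of the answers above. ssh-keyscan output is already in known_hosts format ("host keytype base64key", one key per line), so once you have a line from it, or a line copied from another client, the useful steps are to look the entry up, fingerprint it, and compare that fingerprint with the one FileZilla, WinSCP or PuTTY displayed before you trust the line. Because ssh-keyscan fetches the key over the network, an attacker in the middle at that moment would hand you their key, which is why the out-of-band fingerprint comparison is the part worth scripting. The host name "sftp.example.test", the host key and the "impostor" key are all generated locally and constructed for the example, so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): verify a known_hosts entry against a
# fingerprint obtained elsewhere, then hash the file. Everything is generated
# in a scratch directory; no network access and nothing under ~/.ssh is touched.
set -eu

WORK="${WORK:-$(mktemp -d)}"
SFTP_HOST=sftp.example.test          # constructed host name for the example
KH="$WORK/known_hosts"

setup_known_hosts() {
    rm -f "$KH" "$KH.old" "$WORK/entry" \
          "$WORK/host_key" "$WORK/host_key.pub" \
          "$WORK/impostor_key" "$WORK/impostor_key.pub"
    # Stand-ins for the server's real host key and for a different key that a
    # man-in-the-middle might present.
    ssh-keygen -q -t ed25519 -N '' -C "$SFTP_HOST" -f "$WORK/host_key"
    ssh-keygen -q -t ed25519 -N '' -C 'impostor' -f "$WORK/impostor_key"
    # Same shape as what ssh-keyscan prints for a live server, e.g.
    #   ssh-keyscan -t ed25519 sftp.example.test >> ~/.ssh/known_hosts
    printf '%s %s\n' "$SFTP_HOST" "$(cut -d' ' -f1,2 "$WORK/host_key.pub")" > "$KH"
}

known_host_fingerprint() {
    # $1 = host name. ssh-keygen -F prints the matching entry (hashed entries
    # included); ssh-keygen -l then fingerprints it. Prints e.g. SHA256:....
    ssh-keygen -F "$1" -f "$KH" | grep -v '^#' > "$WORK/entry"
    ssh-keygen -l -f "$WORK/entry" | awk '{print $2}'
}

fingerprint_matches() {
    # $1 = host name, $2 = public key file whose fingerprint another tool showed
    # (here the generated keys stand in for that). Returns 0 only when
    # known_hosts holds exactly that key for the host.
    expected=$(ssh-keygen -l -f "$2" | awk '{print $2}')
    actual=$(known_host_fingerprint "$1")
    [ -n "$actual" ] && [ "$actual" = "$expected" ]
}

hash_known_hosts() {
    # Hashing hides which hosts you talk to if the file leaks; -F lookups and
    # ssh itself keep working. ssh-keygen keeps a copy as known_hosts.old.
    ssh-keygen -H -f "$KH" >/dev/null && rm -f "$KH.old"
}

if command -v ssh-keygen >/dev/null 2>&1; then
    setup_known_hosts
    echo "known_hosts fingerprint for $SFTP_HOST: $(known_host_fingerprint "$SFTP_HOST")"
    if fingerprint_matches "$SFTP_HOST" "$WORK/host_key.pub"; then
        echo "matches the server's key: safe to reuse this known_hosts line"
    fi
    if ! fingerprint_matches "$SFTP_HOST" "$WORK/impostor_key.pub"; then
        echo "impostor key rejected: fingerprints differ"
    fi
    hash_known_hosts
    echo "after hashing, lookup still works: $(known_host_fingerprint "$SFTP_HOST")"
else
    echo "ssh-keygen not found; nothing to do" >&2
fi
```

On a real server, replace the generated host_key.pub with the fingerprint the other client showed you (FileZilla's first-connection popup, WinSCP's host key dialog, or "ssh-keygen -lf" on a key you got from the administrator) and compare it with known_host_fingerprint before appending the ssh-keyscan line to ~/.ssh/known_hosts.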
Unless I am misunderstanding you: you don't need to.
If you connect to the server with another application (i.e. PuTTY) and it has not seen the server before, then you will be prompted to accept the key.
I see why you might want to do this, but each application could have its own way to store keys.
